Greetings from Portsmouth, New Hampshire!
It’s hard to believe 2019 is coming to a close, but here we are, at the precipice of a new year and decade. Looking back, this was an eventful year in privacy news.
Of course, much of the focus here in the U.S. was understanding how to operationalize the California Consumer Privacy Act. This was no easy task since the California Legislature went through an extensive amendment process, which was not finalized until the governor signed amendments in October. To add on, the California attorney general released draft regulations for the law, but those won’t be finalized until sometime in 2020. If those developments were not protean enough, Alastair Mactaggart doubled-down at the IAPP Privacy. Security. Risk. conference in Las Vegas by offering up new, more stringent legislation that could be placed on the state’s ballot in November 2020. If enough signatures are collected, the proposed California Privacy Rights Act will go on the ballot, just like its CCPA cousin.
Legislative activity was up in other states in 2019, as well. For a while, it looked like Washington was going to pass its own comprehensive privacy law (by the way, a draft version of it is floating around for 2020), until, at the last minute, it was shelved. Texas, Illinois, Hawaii, New York, New Jersey, Vermont, among others were in the privacy law game. It led us to create a comprehensive privacy law comparison chart. I suspect we’ll continue to see a flurry of state-based legislative activity in 2020. Who will be the next state to pass a comprehensive law?
Amid all this state-level activity, Capitol Hill is also seriously working of federal privacy legislation. True, a year or two ago, it may have been impossible to imagine a federal law, but even with a divided political spectrum undergoing an impeachment inquiry ahead of the 2020 presidential elections, we’re seeing comprehensive draft bills from both the Democrats and Republicans in the House and Senate. Just this week, the House Committee on Energy and Commerce released draft legislation. Last month, Sen. Maria Cantwell, D-Wash., and Sen. Roger Wicker, R-Miss., each released draft laws that have a ton of overlap. Notably, both proposals include requirements for privacy officers, a major development for the privacy profession. No doubt, the two big elephants in the room are preemption and private rights of action, but there’s plenty to work with, and who knows, maybe a deal is possible sooner rather than later.
This past year was also a big one for the industry of privacy. The privacy tech marketplace, though still new and growing, is beginning to mature. We saw a couple huge acquisitions in the space. In the spring, OneTrust acquired DataGuidance, and just last month, TrustArc acquired Nymity. After receiving a $200 million cash infusion, OneTrust also became the privacy tech industry’s first “unicorn,” with an evaluation exceeding $1 billion. Venture capital is clearly making its way into the space, another sure sign of the growth of privacy. Scalable solutions brought forward by more than 200 privacy tech vendors will continue to be a powerful tool for privacy pros navigating an increasingly complex ecosystem.
International data transfers has also been a significant topic this year and will surely be one of the front-and-center issues in 2020. Just yesterday, the advocate general for the Court of Justice of the European Union released his nonbinding opinion in the so-called “Schrems II” case involving standard contractual clauses. Upon first glance, he recommends that SCCs remain valid – good news! — but, ominously, the advocate general highlighted potential issues with the EU-U.S. Privacy Shield framework. Our own Caitlin Fennessy, who formerly served as director of Privacy Shield, shared her analysis of the opinion, so be sure to check it out. The long and short of it is that uncertainty for transferring data from the EU to the U.S. remains, and we’ll have to wait until 2020 to hear the final ruling from the CJEU.
Rest assured, we’ll continue to be on top of all the major developments in 2020. We’re just days away from the CCPA’s implementation date, so hopefully you’re up to speed. Either way, the editorial team here at the IAPP wishes you all happy holidays, and may the new year bring you good fortune. We’re going to take a little break next week, but we’ll be back in 2020 with our sleeves rolled up, ready to dig in. It’s going to be another busy year.